Credit Card transactions have become a preferred mode of payment for consumer goods to many consumers around the world. Due to the intangible nature of credit card information, and the ease by which it may be stolen and/or duplicated, security of credit card transactions has become a major issue. Issuers of credit cards strongly urge and motivate both users/customers and merchants to keep credit card information secure.
With the advent of the Internet and e-commerce (e.g. online purchases from a merchant's web site or web storefront), security of credit card information has become an even greater issue. Credit card information exchanged between a consumer and an online merchant travels over one or more unsecured networks where any one of a number of parties may be able to duplicate the information and later use it as part of a fraudulent transaction. Various security techniques, including encryption, have been implemented by online merchants and/or credit card issuers to minimize the risk of credit card information theft on the Internet. However, other issues with online transactions stem from the fact that the consumer and the merchant in an online transaction are not in the same physical location. In online transactions, the merchant is not able to inspect the consumer to confirm that the consumer is the actual owner of the credit card being charged. On the other side, the consumer cannot be sure, until after he or she receives a credit card bill, of the exact amount the merchant is charging to his or her credit card.
Trying to address the above mentioned security problems, Visa International has been working on a new initiative called Visa 3D Secure. Visa International, together with E-Visa (the Visa US E-commerce division) are proposing a system called 3D Secure for Payer Authentication. The objective of Visa's 3D-Secure initiative is to verify cardholder account ownership during an electronic commerce purchase transaction. Visa's objectives are to create a virtual “card present” environment online and to move towards guaranteed payments to the merchant, much the same as they are in the offline world.
In general, the Visa 3D-Secure protocol is not a payment protocol, but a payer authentication and receipt signing protocol whose objectives are to verify the account ownership of the payer during a transaction, and to provide the merchant with the equivalent of a signed receipt. There are four participating parties in the protocol: merchants, issuers, cardholders and Visa itself.
Participating merchants are required to integrate a plug-in (Merchant Plug-In—MPI) component into their Web storefronts and need to use a Validation Server to prove the authenticity of the digital signature on the transactions. Participating issuers are required to install two servers—the Enrollment Server that is used to register cardholders to the service, and the Access Control Server (ACS) that is used to authenticate the cardholders during the transactions. In addition, those issuers are required to register at Visa, to pass the relevant information (participating number ranges and ACS URLs) to Visa and to receive a private key that will be used to sign receipts.
Participating cardholders need only register with their issuer and choose an appropriate password that will be used to authenticate them before their receipts are signed.
Visa either operates or will soon operate a central Visa Directory Server (VDS) that serves as a repository for the participating card number ranges and their associated ACS URLs.
The 3D-Secure protocol itself is based on two sets of request/response messages sent from the merchant's MPI to the issuer's ACS—the Verify Enrollment Request/Response (VEReq/VERes) and the Payer Authentication Request/Response (PAReq/PARes). The first request is used to check whether a specific card is enrolled in the service, and the second request is used to ask the issuer to authenticate the payer identity.
There are several components in the proposed 3D-Secure environment that are distributed between the issuer, the merchant and Visa:
At Visa:
1. VisaNet is a wide area network operated by Visa and responsible for switching credit card transactions from acquirers to issuers and for handling settlement of those transactions. Note that some local or domestic transactions won't be routed through VisaNet, but will be routed through local networks that are operated by national bodies, by third party processors or by the acquirers themselves.
2. The Visa Directory Server (VDS) is responsible for managing the list of participating card ranges and their appropriate ACS servers. This component acts as a central directory of all participating issuers, to allow the MPI to reach the proper ACS when needed.
At the Issuer:
3. The Access Control Server (ACS) is responsible for two tasks: (1) the first is to provide the merchant with information on whether or not a card is enrolled in the 3D-Secure service, and (2) the second is to present the transaction receipt to the cardholder for approval, to authenticate his identity and to sign the receipt on his behalf.
4. The Enrollment Server is responsible for enrolling cardholders in the issuer's 3D-Secure service. This includes receiving cardholder enrollment requests (usually via the Web), receiving authenticating information from the cardholder, allowing the cardholder to select his password and registering the cardholder in the Account Holders File.
5. The Authorization Server receives authorization requests from VisaNet, checks whether the cardholder has enough funds and/or credit and that the transaction is not susceptible to fraud. It then responds with an approve/decline authorization reply.
6. The Account Holders File holds the cardholder information needed to operate the 3D-Secure service. This information will usually be accessed through the cardholder PAN. It includes the status of the cardholder enrollment, the information needed to authenticate the cardholder during the enrollment process and the information used to authenticate the holder during the transaction process.
7. The Receipt File (optional) holds all the receipts that were signed during the 3D-Secure payer authentication process. It may be used to facilitate more efficient “Request for Copy” processing.
8. The Transaction Log File (optional) holds the entire log of all 3D-Secure transactions, including those that didn't pass authentication. This includes logs of the merchants' requests for authentication, the cardholder input during the process and the ACS response.
At the Merchant:
9. The Storefront is responsible for all the merchant's interaction with the customer—from presenting the merchandise to him, to enabling him to search and browse the catalog, to managing his shopping cart, to accepting checkout payment and shipping instructions from the customer and finally to presenting him the receipt and getting his approval.
10. The Merchant Plug-In (MPI) has three tasks: (1) the first is to interact with the merchant's storefront (and possibly with the user account and transaction files) to receive the relevant transaction details at the proper time (usually at receipt approval time) and to initiate the 3D-Secure process; (2) the second is to check whether the card is enrolled in the 3D-Secure service, and to find which ACS is handling this card; and (3) the third is to redirect the transaction details to the appropriate ACS, and to get the signed receipt in response as authentication of the cardholder.
11. The Validation Server is responsible for checking whether the receipts the merchant gets from the ACS are signed properly. This component can run either as part of the MPI (“Thick client MPI”) or as a separate server (“Thin client MPI”).
12. The Receipt File is responsible for storing the signed receipts and later retrieving them in order to satisfy “Request for Copy” requirements at the time of a dispute.
13. The Point of Sale (POS) is responsible for connecting the merchant with his acquirer and for performing credit card transactions—from receiving authorizations, to capturing the transactions for settlement and to making various adjustments if needed.
For purposes of clarity and completeness of disclosure, directly below is a list of terms and acronyms associated with credit card transactions in general and with the 3D-Secure protocol in particular:
Credit Card Terms and Acronyms
(Credit Card) Issuer—The financial institution that deals with cardholders, that issues cards to them and that loans them money.
(Credit Card) Acquirer—The financial institution that deals with merchants who accept credit card payments.
(Credit Card) Cardholder—The holder of a credit card.
(Credit Card) Authorization—The process in which a credit card transaction is authorized by the issuer.
(Credit Card) Settlement—The process in which actual funds are transferred between the relevant parties in a transaction: the issuer, the acquirer, the merchant and Visa.
(Credit Card) Chargeback—When a cardholder disputes a transaction and tries to get his money back. This process is governed by Visa rules and regulations.
Request for Copy—The process during chargeback processing where the issuer requests a copy of the receipt from the acquirer. This copy is needed for dispute resolution.
VisaNet—A wide area network owned and operated by Visa that's used to transfer credit card transaction messages (authorizations, settlements, chargebacks, etc.) between participating financial institutions. A similar network is operated by MasterCard and by other similar institutions.
VAP/Visa Access Point—The device used to connect an issuer or an acquirer to VisaNet. MasterCard has a similar device called MIP or MasterCard Interchange Point. An issuer can have more than one VAP or MIP.
(Credit Card) POS/Point Of Sale—The device used by merchants to connect to the credit card network and to process credit card transactions.
(Credit Card) PAN/Primary Account Number—The number that shows on the face of the credit card, and that should be used for making electronic commerce transactions with that card.
Card Present/Card Not Present Transaction—Transactions where the actual card is present or not (respectively) in the transaction. An electronic commerce transaction is a “Card not present” transaction.
On Us Transaction—Transactions where the acquirer and issuer involved are the same one, or are processed by the same processor. In this case there is no need to switch the transaction through VisaNet.
Visa 3D-Secure Terms and Acronyms
PA/Payer Authentication—The 3D-Secure protocol responsible for authenticating the identity of the payer in an electronic commerce transaction.
SET/Secure Electronic Transaction—An older standard attempted by Visa and MasterCard. Unlike 3D-Secure, this standard dealt with all the steps of an electronic commerce transaction: cardholder authentication, transaction authorization and capture.
ACS/Access Control Server—A 3D-Secure component that sits at the issuer and that's responsible for handling the issuer's parts of the PA protocol.
MPI/Merchant Plug-In—A 3D-Secure component that sits at the merchant and that's responsible for handling the merchant's parts of the PA protocol.
VDS/Visa Directory Server—A 3D-Secure component that sits at Visa and that serves as a central directory of all the ACSs and their corresponding card number ranges.
Enrollment Server—A 3D-Secure component that sits at the issuer and that's responsible for handling enrollment requests from cardholders that wish to enroll in the service.
VEReq/Verify Enrollment Request—The 3D-Secure message that is used to query whether a specific card is enrolled in the service.
VERes/Verify Enrollment Response—The response to the VEReq message.
PAReq/Payer Authentication Request—The 3D-Secure message that is used to ask the ACS to authenticate the payer identity and to sign the receipt on his behalf.
PARes/Payer Authentication Response—The response to the PAReq message.
Turning now to FIG. 1, there is shown a system level diagram depicting the interactions between various 3D Secure components during a credit card transaction. Depicted in FIG. 1 are the steps by which a transaction may be consummated in accordance with the 3D Secure standard:
1. A cardholder may surf the Internet and initiate an online purchase. During the purchase process, the cardholder may be required to provide his credit card number manually.
2. At the last confirmation page of the Merchant's web site or “Store Front”, right before the deal is made, the Merchant's web site may activate its plug-in. Upon activation, it supplies the plug-in with the card number and the transaction details to be signed by the cardholder. These transaction details are referred to as the Receipt.
3. The plug-in may connect to the Visa Directory Server (VDS) to find out whether this card is enrolled in the system. The request is processed and answered with a VerifyEnrollmentRes message.
4. If the card is enrolled, the Visa Directory Server (VDS) replies to the plug-in with the URL of the appropriate issuer's Access Control Server (ACS). If the card is not enrolled, the VDS replies with a “Not Enrolled” answer. The reply is carried by the VerifyEnrollmentRes message. Upon receiving a “Not Enrolled” answer, the Merchant continues to process the order conventionally: the cardholder may get the normal “Thank you” page and the card number will be passed to the acquirer for conventional authorization.
5. If the card is enrolled, the Merchant plug-in may reply to the cardholder's browser with a redirect to the Issuer's Access Control Server (ACS) URL. This redirect message carries the Receipt to be signed (PAReq message).
6. The Issuer's Access Control Server (ACS) may authenticate the cardholder and request transaction confirmation. It is up to each Issuer to select an authentication method (e.g. Password or PIN). When confirming the transaction, the cardholder may typically see the receipt as it was sent by the Merchant.
7. The cardholder may accept the transaction.
8. The Issuer may digitally sign the receipt and return it to the Merchant. The Merchant may verify the content of the receipt and the validity of the signature.
9. The Merchant may send the signed receipt to the Acquirer.
10. Payment between the Acquirer and the Issuer remains unaffected.
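The VEReq/VERes and PAReq/PARes exchange above, and the merchant-side validation in step 8, as an added simulation that is not part of the original document or of any Visa implementation. The card ranges, ACS URL, account and key are constructed placeholders, and a keyed HMAC stands in for the issuer's private-key signature so the example runs on the standard library alone; the point it makes is that the Validation Server must check both that the signature verifies and that the signed receipt is exactly the one the MPI sent.

```python
import hashlib
import hmac
import json

# Constructed sample data for the example: not real card ranges, keys or accounts.
VDS_RANGES = {("4000000000000000", "4000009999999999"): "https://acs.issuer.example/pa"}
ACS_ENROLLED = {"4000001234567890": "correct horse battery staple"}  # PAN -> password
ISSUER_KEY = {"https://acs.issuer.example/pa": b"issuer-signing-key-placeholder"}


def verify_enrollment(pan):
    # VEReq/VERes: the VDS maps the PAN's range to an ACS, the ACS confirms the card itself.
    for (low, high), acs_url in VDS_RANGES.items():
        if low <= pan <= high and pan in ACS_ENROLLED:
            return {"enrolled": True, "acs_url": acs_url}
    return {"enrolled": False, "acs_url": None}


def canonical(receipt):
    # Stable byte encoding so signer and verifier hash identical input.
    return json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()


def acs_authenticate(acs_url, pareq, password):
    # PAReq/PARes: the ACS checks the cardholder password, then signs the receipt.
    # A keyed HMAC stands in for the issuer's private-key signature (assumption).
    if ACS_ENROLLED.get(pareq["pan"]) != password:
        return {"status": "N", "receipt": pareq["receipt"], "signature": None}
    sig = hmac.new(ISSUER_KEY[acs_url], canonical(pareq["receipt"]), hashlib.sha256).hexdigest()
    return {"status": "Y", "receipt": pareq["receipt"], "signature": sig}


def validate_pares(acs_url, sent_receipt, pares):
    # Validation Server: accept only if the signature verifies AND the signed receipt
    # is exactly the one the MPI sent (amount, merchant, transaction id unchanged).
    if pares["status"] != "Y" or not pares["signature"]:
        return False
    expected = hmac.new(ISSUER_KEY[acs_url], canonical(pares["receipt"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pares["signature"]):
        return False
    return canonical(pares["receipt"]) == canonical(sent_receipt)


def run_purchase(pan, password, receipt, tamper=None):
    # Whole MPI flow; returns "not_enrolled", "authenticated" or "rejected".
    veres = verify_enrollment(pan)
    if not veres["enrolled"]:
        return "not_enrolled"  # merchant falls back to conventional authorization
    pares = acs_authenticate(veres["acs_url"], {"pan": pan, "receipt": receipt}, password)
    if tamper:  # simulate a receipt altered between the ACS and the merchant
        pares["receipt"] = {**pares["receipt"], **tamper}
    return "authenticated" if validate_pares(veres["acs_url"], receipt, pares) else "rejected"
```

The final equality check in validate_pares is what stops a validly signed receipt from another transaction being replayed against this one.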
At the end of each purchase using a 3D Secure system, the 3D Secure protocol provides the merchant with a receipt which was digitally signed by the Issuer on behalf of the cardholder. This receipt may be used as “card present” evidence by the merchant in the case of a dispute originated by the cardholder. Furthermore, the issuer now has a list of all Receipts, including such information as Merchant URL, amount, description of goods, etc. This can be presented to the user in an orderly manner through the Issuer's online banking system.
However, the 3D Secure solution has many shortcomings, including doing nothing to secure the customer's position in the transaction or to secure the customer's credit card information. 3D Secure does not solve data security issues. Once a cardholder's card number has been released to the Merchant, there is no way of guarding its integrity. Merchants may misuse the number or their sites may be hacked.
Many cardholders are still afraid to put their card on the Web. Using 3D Secure, they still have to enter the card number into Merchant sites. This may deter many from shopping online.